Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package chrony for openSUSE:Factory checked in at 2021-10-19 23:03:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/chrony (Old) and /work/SRC/openSUSE:Factory/.chrony.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "chrony" Tue Oct 19 23:03:29 2021 rev:33 rq:925526 version:4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/chrony/chrony.changes 2021-09-08 21:36:17.673866065 +0200 +++ /work/SRC/openSUSE:Factory/.chrony.new.1890/chrony.changes 2021-10-19 23:03:31.233264590 +0200 @@ -1,0 +2,9 @@ +Fri Oct 8 14:52:41 UTC 2021 - Reinhard Max <[email protected]> + +- boo#1190926: PrivateDevices is too strict, we might need to + access the rtc and ptp devices. +- Add back support to build chrony on SLE12. +- Drop dependency on asciidoctor. It is only needed for building + the HTML documentation which we don't package anyway. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ chrony.spec ++++++ --- /var/tmp/diff_new_pack.HEIRnF/_old 2021-10-19 23:03:31.893264889 +0200 +++ /var/tmp/diff_new_pack.HEIRnF/_new 2021-10-19 23:03:31.897264891 +0200 @@ -16,10 +16,20 @@ # +%if 0%{?suse_version} < 1500 +# As of 2021 we still need to be able to build this on SLE12 +%bcond_with pools +%bcond_with sysusers +%bcond_with pps +%else +%bcond_without pools +%bcond_without sysusers +%bcond_without pps +%endif + %bcond_without testsuite %define _systemdutildir %(pkg-config --variable systemdutildir systemd) -#global clknetsim_ver 79ffe44 %global clknetsim_ver f89702d #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} 
@@ -59,23 +69,31 @@ Patch6: harden_chronyd.service.patch BuildRequires: NetworkManager-devel BuildRequires: bison +BuildRequires: findutils BuildRequires: gcc-c++ BuildRequires: gnutls-devel BuildRequires: libcap-devel BuildRequires: libedit-devel BuildRequires: pkgconfig +%if %{with pps} BuildRequires: pps-tools-devel +%endif # The timezone package is needed for the "make check" tests. It can be # removed if the call to make check is ever deleted. BuildRequires: sysuser-tools BuildRequires: timezone BuildRequires: pkgconfig(systemd) -BuildRequires: rubygem(asciidoctor) Recommends: logrotate Requires(post): %fillup_prereq +%if %{with sysusers} %sysusers_requires +%else +Requires(pre): %{_sbindir}/useradd +%endif +%if %{with pools} Requires: %name-pool Recommends: %name-pool-nonempty +%endif Provides: ntp-daemon %ifarch s390 s390x ppc64le BuildRequires: libseccomp-devel >= 2.2.0 @@ -105,6 +123,7 @@ running on the same computer as the chronyd instance it is controlling or a different computer. +%if %{with pools} %package pool-suse Summary: Chrony preconfiguration for SUSE Group: Productivity/Networking/Other @@ -149,16 +168,17 @@ situations when having servers preconfigured in chrony is undesirable, e.g. because the servers will be set via DHCP. +%endif + %prep %setup -q -a 10 -sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5} %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 %patch4 %patch5 -p1 -%patch6 -p1 +%patch6 # Remove pool statements from the default /etc/chrony.conf. They will # be provided by branding packages in /etc/chrony.d/pool.conf . 
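Review bot: `BuildRequires: sysuser-tools` stays unconditional in this hunk, even though the new `sysusers` build condition switches `%sysusers_requires` off for older targets. If the SLE12 build is meant to work without sysusers support, that line probably belongs inside `%if %{with sysusers}` as well. The same question applies to the unconditional `install -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/` in the later `@@ -232,13 +260,17 @@` hunk. In the `%else` branch only `%{_sbindir}/useradd` is required for `%pre`, while the script generated in the `@@ -190,8 +210,16 @@` hunk also calls `groupadd`; adding `Requires(pre): %{_sbindir}/groupadd` would make that dependency explicit.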
@@ -190,8 +210,16 @@ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-sendmail=%{_sbindir}/sendmail \ --enable-ntp-signd -make %{?_smp_mflags} all docs +make %{?_smp_mflags} all +%if %{with sysusers} %sysusers_generate_pre %{SOURCE14} chrony system-user-chrony.conf +%else +cat > chrony.pre <<EOF +%{_sbindir}/groupadd -r chrony >/dev/null 2>&1 || : +%{_sbindir}/useradd -g chrony -s /bin/false -r -c "Chrony Daemon" \ + -d "%{_localstatedir}/lib/chrony" chrony >/dev/null 2>&1 || : +EOF +%endif %install %make_install @@ -232,13 +260,17 @@ install -d %{buildroot}%{_localstatedir}/log/chrony touch %{buildroot}%{_localstatedir}/lib/chrony/{drift,rtc} +%if %{with pools} # Install the NTP pool files install -Dpm 644 %{SOURCE12} %{SOURCE13} %{buildroot}/etc/chrony.d -touch %{buildroot}/etc/chrony.d/pool.conf.empty +echo '# Add ntp pools here' > %{buildroot}/etc/chrony.d/pool.conf.empty +%endif mkdir -p %{buildroot}%{_sysusersdir} install -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/ +find %{buildroot} -type f | xargs sed -i 's-@CHRONY_HELPER@-%{chrony_helper}-g' + %if %{with testsuite} %ifnarch %ix86 %check @@ -265,7 +297,12 @@ %service_del_postun chronyd.service chrony-wait.service %files +%defattr(-,root,root) +%if 0%{?suse_version} >= 1500 %license COPYING +%else +%doc COPYING +%endif %doc FAQ NEWS README %doc examples %config(noreplace) %attr(0640,root,%{name}) %{_sysconfdir}/chrony.conf 
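Review bot: In the `%else` branch that writes `chrony.pre`, both `groupadd` and `useradd` end in `>/dev/null 2>&1 || :`, so a failed account creation is silent and installation carries on. The `%files` entries that assign `chrony` ownership would then presumably not get the intended owner, and the daemon would have no unprivileged account to run as. Testing for the account first lets a real failure surface, e.g. `getent group chrony >/dev/null || %{_sbindir}/groupadd -r chrony` and the equivalent `getent passwd chrony >/dev/null || %{_sbindir}/useradd ...` without the trailing `|| :`. The `%pre` section that consumes `chrony.pre` is outside this hunk, so confirm it is wired in for the non-sysusers build too.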
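Review bot: The added `find %{buildroot} -type f | xargs sed -i ...` line rewrites every file under the buildroot, compiled binaries included, and splits path names on whitespace. Restricting it to files that actually contain the placeholder and passing NUL-delimited names is safer: `grep -rlZ '@CHRONY_HELPER@' %{buildroot} | xargs -0 -r sed -i 's-@CHRONY_HELPER@-%{chrony_helper}-g'`. A short comment naming which installed files carry `@CHRONY_HELPER@` would help the next maintainer; the service unit touched by harden_chronyd.service.patch appears to be one of them.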
@@ -295,13 +332,15 @@ %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %ghost %attr(0750, %{name}, %{name}) %{_rundir}/%{name} +%if %{with pools} %files pool-empty -%config (noreplace) /etc/chrony.d/pool.conf.empty +%attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.empty %files pool-suse -%config (noreplace) /etc/chrony.d/pool.conf.suse +%attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.suse %files pool-openSUSE -%config (noreplace) /etc/chrony.d/pool.conf.opensuse +%attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.opensuse +%endif %changelog ++++++ harden_chronyd.service.patch ++++++ --- /var/tmp/diff_new_pack.HEIRnF/_old 2021-10-19 23:03:32.013264943 +0200 +++ /var/tmp/diff_new_pack.HEIRnF/_new 2021-10-19 23:03:32.013264943 +0200 @@ -1,19 +1,17 @@ -Index: chrony-4.1/examples/chronyd.service -=================================================================== ---- chrony-4.1.orig/examples/chronyd.service -+++ chrony-4.1/examples/chronyd.service -@@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS +--- examples/chronyd.service.orig ++++ examples/chronyd.service +@@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae PrivateTmp=yes ProtectHome=yes ProtectSystem=full +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -+PrivateDevices=true +ProtectHostname=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +DeviceAllow=char-rtc ++DeviceAllow=char-ptp +# end of automatic additions [Install]
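Review bot: The two `DeviceAllow=` lines in the updated harden_chronyd.service.patch carry no access mode, and with `PrivateDevices=true` removed they are now the only device restriction in the unit. As far as I know systemd treats a missing mode as `rwm`, which includes mknod; spelling it out as `DeviceAllow=char-rtc rw` and `DeviceAllow=char-ptp rw` (or `r` where reading is enough) keeps the grant to what chronyd needs, to be verified against the systemd version on each target. Dropping PrivateDevices also gives up the CAP_MKNOD and CAP_SYS_RAWIO removal it implies, so the patch comment should say why it was removed (boo#1190926). It is also worth checking whether PPS devices need a `DeviceAllow=char-pps` entry when the `pps` build option is enabled.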
